Experiments Settings page is available to edit_posts, should be manage_options #66117

Closed
rmccue opened this issue Oct 15, 2024 · 2 comments · Fixed by #66118
Labels: [Status] In Progress (tracking issues with work in progress), [Type] Bug (an existing feature does not function as intended)

Comments

@rmccue (Contributor) commented Oct 15, 2024

Description

The Experiments Settings page is available to users with edit_posts; however, the page is for managing site-wide options. Under the hood, these settings use the Settings API, which checks manage_options, so this isn't strictly a security issue from what I can see; however, the page shouldn't be shown to users who cannot edit the options.

If it's intentional to show this so that users can see which settings are enabled, the Save button should be removed and the fields marked as disabled.

Step-by-step reproduction instructions

  1. Grant a user the Editor role
  2. Log in/switch to the user
  3. Observe the Gutenberg > Experiments page is visible in the menu.
  4. Observe that the page can be viewed, despite not having permissions to edit the settings.

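The capability mismatch the report describes, shown as an added example rather than Gutenberg's own code: the submenu registered with the broad capability beside the corrected one, and a render callback that re-checks the capability the Settings API enforces on save. The function names, menu slugs and the option group name are assumptions made for this illustration.

```php
<?php
// Added illustration of the mismatch described in the issue; this is not
// Gutenberg's own code. The slugs, function names and option group
// ('gutenberg_experiments') are assumptions used for the example.

// Weak: the submenu entry is gated on edit_posts, so every Editor sees the
// page and its Save button, while options.php still rejects the submit
// because the Settings API requires manage_options for site-wide options.
function example_experiments_menu_weak() {
    add_submenu_page(
        'gutenberg',
        __( 'Experiments Settings', 'gutenberg' ),
        __( 'Experiments', 'gutenberg' ),
        'edit_posts',              // too broad for site-wide options
        'gutenberg-experiments',
        'example_experiments_render'
    );
}

// Fixed: gate the menu entry on the same capability the save path enforces.
// WordPress also uses this capability to refuse direct requests to the page,
// so the menu entry and the page disappear together for non-admins.
function example_experiments_menu_fixed() {
    add_submenu_page(
        'gutenberg',
        __( 'Experiments Settings', 'gutenberg' ),
        __( 'Experiments', 'gutenberg' ),
        'manage_options',
        'gutenberg-experiments',
        'example_experiments_render'
    );
}

// Render callback with a defensive re-check, so the page stays correct even
// if the menu registration is later changed to a broader capability.
function example_experiments_render() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to access this page.', 'gutenberg' ) );
    }
    echo '<div class="wrap"><form method="post" action="options.php">';
    settings_fields( 'gutenberg_experiments' );      // nonce + option_page field
    do_settings_sections( 'gutenberg-experiments' );
    submit_button();
    echo '</form></div>';
}

add_action( 'admin_menu', 'example_experiments_menu_fixed' );
```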
rmccue added the [Type] Bug label Oct 15, 2024
github-actions bot added the [Status] In Progress label Oct 15, 2024
@swissspidy (Member) commented

For context, this was added in #16626

@mtias (Member) commented Oct 17, 2024

Makes sense, thanks!
